Improper Public Key Authentication in cURL Affects Multiple Users
CVE-2025-15224

3.1 LOW

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 8 January 2026

What is CVE-2025-15224?

A vulnerability in cURL during SSH-based file transfers using SCP or SFTP can lead to improper public key authentication. When users are prompted for public key authentication, cURL incorrectly interacts with a locally running SSH agent, potentially allowing unauthorized access during transfers. This issue underscores the need for users to ensure they are using secure configurations to mitigate risks.

Affected Version(s)

curl 8.17.0

curl 8.16.0

curl 8.15.0

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Harry Sintonen